UW-Madison - IT - Data Classification Policy

There are four data classifications. From highest to lowest risk they are: Restricted (significant risk), Sensitive (moderate risk), Internal (some risk), and Public (little or no risk).

UW-Madison is adjusting the data classifications. A revision of the policy is in progress. In the meantime, here are the classifications as defined by the Data Stewardship Council.

Data Classifications

Restricted

Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if:

protection of the data is required by law or regulation, or

UW Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed.

Sensitive

Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Internal

Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.

Public

Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates.

Process

The current policy identifies many specific data elements as being Sensitive, of which six of are identified as Restricted. These are still accurate as a starting point for classification. It is the process of classifying data that has changed.

The most significant change to the policy is to use the default classifications of data elements as a starting point, and then adjust the classification of a data set based on the combination of data elements present, the regulatory environment, etc. Context is important.

Until the policy is revised, please continue to use the list of sensitive and restricted data elements as they are documented below. These are still accurate as a starting point for classification.

Surrounding text in italics is not part of the official document.

Policy

In addition to the information identified below, there are times when a data field is not considered sensitive when used alone but may be so when paired with other data. An example is date of birth. Date of birth is not considered sensitive when it stands alone but if it is available along with social security number and name it is considered sensitive.

Sensitive information may be subject to disclosure under certain circumstances. The University appropriately seeks to maintain systems that protect sensitive information in order to meet a variety of goals.

The data types listed below are those identified as of 6/22/2010.[i]

Sensitive Information means:

Institutional Data that could, by itself or in combination with other such Data, be used for identity theft, fraud, or other crimes, including but not limited to,

Institutional Data whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession, including but not limited to:

Data Types:

Student educational records (including official photos)

Information in a persons medical record

Human subjects research information, if the subjects have been promised anonymity

Trade secrets or other proprietary business information owned by a third party and provided to the University upon a promise of confidentiality for the conduct of research, testing, or training, or in connection with a potential investment or transfer of technology by the University

Proprietary computer applications or source code to which the University holds a license that restricts further or public distribution

Exam questions and answers/scoring keys until distributed by the professor

Bids and proposals until they are opened or the deadline for their submission has passed

Employment data such as retirement account allocations and investments and designations of beneficiaries

Employee home address where an employee has asked it not be released

Documentation of grievance, arbitration, and disciplinary proceedings

Information about pending research misconduct proceedings

Financial aid applications and related tax and financial information

Information and records protected by the attorney-client privilege

Law enforcement investigation records

Information disclosed under the Universitys conflict of interest policies

Information from a consumer report

Information derived from servicing or collecting loans from, or accounts payable to, the University

Data related to those sensitive knowledge, technologies, equipment, software, biological agents or related services that are subject to United States Government export controls

University and personal security measures, including but not limited to,

Data Types:

Passwords for access to University facilities or computer systems

Security codes and combinations for locks

Key codes

Security plans

Security procedures

Threat assessments and preparedness strategies

Law enforcement deployment plans

Operational instructions for law enforcement officers and other emergency personnel

Institutional Data whose value would be lost or reduced by disclosure in advance of the time prescribed for its authorized public release, or whose disclosure would otherwise adversely affect the University financially, including but not limited to,

Data Types:

Research data or results prior to publication or the filing of a patent application

Non-patentable technical information or know-how that enhances the value of a patented invention or that has independent commercial value

Information relating to the Universitys intention to buy, sell, or lease property whose disclosure could increase the cost of that property for the University or decrease what the University realizes from that property (like real property appraisals)